SOC Analysts Can Now Use ANY.RUN Malware Sandbox with Splunk

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Post Sharing

Splunk users can now leverage ANY.RUN’s sandbox and threat intelligence directly within their Splunk SOAR environment. This allows for the analysis of suspicious files and URLs within the ANY.RUN sandbox while enriching investigations with threat data from TI Lookup. 

It offers various actions, ranging from basic reputation checks to full detonation and analysis of potential threats. It streamlines the process by allowing users to stay within the familiar Splunk interface throughout the investigation. 

Official page of ANY.RUN’s connector for Splunk

Splunk SOAR empowers security analysts with comprehensive threat intelligence through direct integration, which allows querying ANY.RUN’s threat intelligence database directly within the platform uses the “get intelligence” action. 

This functionality extends to TI Lookup’s database as well, enabling analysts to leverage a wider range of threat data for more informed decision-making during security investigations. 

Automated Malware Analysis 

It automates malware analysis by detonating files and URLs within its sandbox, which can be triggered from a Splunk SOAR playbook, enabling automated analysis of suspicious attachments or downloads. 

perform file analysis, collect IOCs, get IP reputation, and more

The sandbox provides a detailed report that includes extracted indicators of compromise (IOCs) and IP reputation data. Additionally, users can access any analysis session for further manual investigation or deeper threat understanding.  

Integrate ANY.RUN solutions in your organization – Get Free Access

Advanced Threat Hunting 

ANY.RUN offers two key functionalities for post-analysis: detailed reporting and advanced threat hunting. The “get report” action provides a quick verdict on the submitted sample’s threat level, while the interface allows deeper exploration of specific analysis results. 

For advanced users with a TI License, the “get intelligence” action unlocks powerful threat intelligence queries, which allows searching ANY.RUN’s database uses technical indicators like file hashes, IP addresses, domains, or even MITRE ATT&CK techniques identified during previous analyses. 

Threat Intelligence Lookup lets you use dozens of search parameters

Essentially, ANY.RUN empowers users to assess sample risk and conduct comprehensive threat investigations efficiently. 

This Splunk SOAR playbook tackles potential phishing emails, and upon triggering, it extracts URLs and attachments. For URLs, it checks reputation on ANY.RUN, as new or suspicious ones are detonated in a sandbox using the ‘detonate url’ action. 

Attachments undergo analysis similar to that of a ‘detonate file’. The playbook then retrieves reports and Indicators of Compromise (IOCs) via ‘get report’ and ‘get iocs’ actions. 

Finally, these IOCs are leveraged to automatically update firewall rules, initiate endpoint scans, or create new SIEM detection rules. 

Splunk connector details

Leverage the ANY.RUN integration for Splunk SOAR by configuring a new ANY.RUN asset; for that, users need an ANY.RUN account with API access (Hunter or Enterprise plan recommended). Provide the Any.Run base URL and the API key from the Any.Run profile. 

Don’t forget to set a default timeout for API requests. Once configured, Splunk SOAR playbooks and analysts can directly utilize Any.Run actions for analysis, which simplifies the process of integrating ANY.RUN sandboxing capabilities into the Splunk SOAR environment.

Explore all features of ANY.RUN, including the private mode and extra VM settings, by Requesting a 14-day Free Trial!